Coherence in distributed packet filters

Penz, Leandro Lisboa

January 2008

Redes de computadores estão sob constante ameaça, ainda mais quando conectadas à Internet. Para reduzir o risco, dispositivos de segurança como o filtro de pacotes são usados. Uma primeira camada de segurança, o filtro de pacotes é responsável pelo bloqueio do tráfego indesejado em posições chave da rede. Os pacotes que devem ser permitidos ou bloqueados pelo filtro são definidos através de um conjunto de regras programadas pelo administrador da rede. Essas regras tem duas partes: a seleção e a ação. Conforme cresce a rede e o número de serviços, a quantidade de regras tende a aumentar. Passado certo limite, a complexidade de manter uma quantidade grande de regras se torna um fardo para o administrador. Isso aumenta a probabilidade de enganos que podem prejudicar a segurança da rede. Este trabalho desenvolve o conceito de “anomalia”, cada qual representa um problema em potencial, uma contradição ou uma regra supérflua dentro do conjunto de regras; ou seja, cada anomalia alerta o administrador da rede para determinada situação. Há 7 tipos de anomalias, que podem ser divididos em dois grupos: anomalias de filtro único e anomalias em rede. As anomalias de filtro único alertam o administrador sobre regras que se contradizem (“bloqueio”) ou que não possuem efeito no filtro (“invisibilidade” e “redundância”). As anomalias em rede, por sua vez, alertam o administrador sobre filtros que se contradizem (“discordância”), filtros que bloqueiam tráfego desejado (“bloqueio”), regras que não se aplicam a nenhum pacote que passe pelo filtro onde estão (“irrelevância”) e roteadores que permitem a passagem de tráfego indesejado (“vazamento”). Cada um desses tipos de anomalia é definido formalmente e apresentado junto com um algoritmo que a encontra. As anomalias e seus algoritmos foram usados para implementar uma ferramenta, o Packet Filter Checker (PFC), que lê as regras e a descrição da topologia da rede e cria um relatório com todas as anomalias presentes. Este trabalho apresenta um caso de uso fictício que é analisado e corrigido com base nos resultados apresentados pela ferramenta. O caso de uso é apresentado em diversas iterações, cada uma representando alterações nos requisitos da rede. Este caso mostra a ferramenta e os conceitos no contexto-alvo: na ajuda ao administrador da rede. / Computer networks are under constant threat, even more when connected to the Internet. To decrease the risk of invasions and downtime, security devices such as the packet filter are deployed. As a first layer of security, the packet filter is responsible for blocking out unwanted traffic at key network locations. The packets dropped or forwarded by the filter are defined by a set of rules programmed by the network administrator. These rules are in the form of guarded commands, each with a condition and a decision section. As the number of services and networks grow, the number of rules tend to grow as well. Beyond a certain threshold, the complexity of maintaining such a large and distributed set of rules becomes a burden for the network administrator. Mistakes can be easily made, compromising security. This work develops the concept of “anomaly”, each representing a potential problem, a contradiction or a superfluous rule in the rule set; i.e. a warning to the system administrator. There are 7 types of anomalies divided in two groups: single filter anomalies and networked anomalies. The single-filter anomalies warns the administrator about rules that contradict one another (the “conflict” anomaly) or have no effect (“invisibility” and “redundancy”) in the analysed filter. The networked anomalies, on the other hand, analyse the filters in the context of the network topology and warn the administrator about filters that contradict one another (“disagreement”), filters that block desired traffic (“blocking”), rules that have no effect on the given network topology (“irrelevancy”) and routers that are enabling unwanted traffic (“leaking”). Each type of anomaly is formally defined along with its algorithm. The developed concepts were used to implement a tool — the Packet Filter Checker (PFC) — that reads a description of the rules and network topology in a simple custom language and reports all anomalies present. This tool is used to analyse and fix a fictional user case in several iterations of changing requirements. This shows the tool and the anomalies in the target context: where they help the network administrator.

Redes : Comunicacao : Dados

Seguranca : Redes : Computadores

Filtros : Pacotes

Packet filter

Firewall

Security policy

Policy conflict

Rule coherence

Addressing ambiguity within information security policies in higher education to improve compliance

Buthelezi, Mokateko Portia

06 1900

nformation security (InfoSec) policies are widely used by institutions as a form of InfoSec control measure to protect their information assets. InfoSec policies are commonly documented in natural language, which is prone to ambiguity and misinterpretation, thereby making it hard, if not impossible, for users to comply with. These misinterpretations may lead the students or staff members to wrongfully execute the required actions, thereby making institutions vulnerable to InfoSec attacks. According to the literature review conducted in this work, InfoSec policy documents are often not followed or complied with; and the key issues facing InfoSec policy compliance include the lack of management support for InfoSec, organisational cultures of non-compliance, intentional and unintentional policy violation by employees (the insider threat), lack of policy awareness and training as well as the policy being unclear or ambiguous. This study is set in the higher education context and explores the extent to which the non-compliance problem is embedded within the policy documents themselves being affected by ambiguity. A qualitative method with a case study research strategy was followed in the research, in the form of an inductive approach with a cross-sectional time horizon, whereby a selection case of relevant institutional InfoSec policies were analysed. The data was collected in the form of academic literature and InfoSec policies of higher education institutions to derive themes for data analysis. A qualitative content analysis was performed on the policies, which identified ambiguity problems in the data. The findings indicated the presence of ambiguity within the policy documents, making it possible to misinterpret some of the policy statements. Formal methods were explored as a possible solution to the policy ambiguity. A framework was then proposed to address ambiguity and improve on the clarity of the semantics of policy statements. The framework can be used by policy writers in paying attention to the presence of ambiguity in their policies and address these when drafting or revising their policy documents. / School of Computing / M. Sc.(Computing)

Formal methods

Policy ambiguity

Usable security

Policy clarity

Policy human aspects

Security policy compliance

Information policy

Information society

Universities and colleges

Stora stygga vargen? : Porträtteringen av Ryssland och dess inverkan på svensk försvars- och säkerhetspolitik, 2008–2018

Linna Lundström, Molly

January 2018

Drawing on a theoretical framework based on securitization and threat construction, the attempt in this study was to broaden the understanding of how the perception of a Russian threat in the Baltic Sea is influencing Swedish defence and security policy. The method used was based on Bacchis WPR-approach. Three questions were asked at the beginning of this study, regardning how Russia is viewed in Sweden, how the representation of Russia has changed from the war in Georgia in 2008 until 2018, as well as how Sweden is to strengthen it's defence capacity, nationally and through cooperation, to tacle the Russian threat. Four key aspects of Russian behaviour that is considered threatening were identified. Russia is viewed as a country with power ambitions and expansionist tendencies; characterised as tactically unpredictable; looked upon as a risk calculating actor; and considered misstrusting in its views of the West. The perception of Russia is complex which creates difficulties regarding how the threat is to be met. Policy makers have urged the strengthening of Swedish national defence capacity to create a conflict threshold in the region. To further strengthen this threshold, the bilateral defence cooperation with Finland has deepened. In addition, the question of military non-alignment has been raised in relation to a possible Swedish membership in Nato. The answer to whether or not Sweden should join depends on political affiliation. This underlines the theoretical assumptions; security and defence policy is not merely a response to an external circumstance, but rather the result of an interplay between circumstance and actor.

Baltic Sea

defence policy

Finland

national security

Nato

Russia

securitization

security policy

Sweden

threat construction

Political Science

Statsvetenskap

Trade of fish imported from Sub-Saharan Africa in the Cape Town Business district

Epo, Emilienne Ewee Ndofor

January 2017

Magister Philosophiae - MPhil (LAS) (Land and Agrarian Studies) / Fish remains a vital source of food, income, nutrition and livelihoods for millions of people in Africa. This study investigated the modalities of trading in fish imported from sub-Saharan Africa into South Africa in the Cape Town Metropolitan area. The research analyses the opportunities and constraints faced by retail fish traders and importers regarding the South African and Southern African Development Community (SADC) policies that are in place, to ascertain how far the policies go in facilitating the intra-regional fish trade. In addition, the study analyses consumer factors underlying the attractiveness of imported fish, the channels used for importation as well as the types and forms of fish imported into South Africa. The study employs a qualitative approach using semi-structured interviews with purposively selected key informant retailers, traders and City of Cape Town officials to collect the information. Findings show that shop owners and traders face challenges in relation to obtaining the required documents for trading, sanitary and phytosanitary certification and tariff and non-tariff barriers at borders. Some of these challenges include long and tedious procedures to acquire documents, as well as the limitations placed on the amount of goods traders can import. Consumers (mostly from the diaspora) prefer the taste of fish that they are used to, thereby creating an increasing demand for imported fish. National and regional policies put in place do not facilitate the trade in fish as well as current municipal regulations for retailing imported fish and other food types. The study also raises critical questions about the implementation of sanitary and phytosanitary standards by officials in the food shops. The thesis concludes that is it critical for national and regional policies to be coordinated and harmonised for enhanced intra-regional fish trade, which could contribute towards increased food security, nutrition and livelihoods.

Coherence in distributed packet filters

Penz, Leandro Lisboa

January 2008

Redes de computadores estão sob constante ameaça, ainda mais quando conectadas à Internet. Para reduzir o risco, dispositivos de segurança como o filtro de pacotes são usados. Uma primeira camada de segurança, o filtro de pacotes é responsável pelo bloqueio do tráfego indesejado em posições chave da rede. Os pacotes que devem ser permitidos ou bloqueados pelo filtro são definidos através de um conjunto de regras programadas pelo administrador da rede. Essas regras tem duas partes: a seleção e a ação. Conforme cresce a rede e o número de serviços, a quantidade de regras tende a aumentar. Passado certo limite, a complexidade de manter uma quantidade grande de regras se torna um fardo para o administrador. Isso aumenta a probabilidade de enganos que podem prejudicar a segurança da rede. Este trabalho desenvolve o conceito de “anomalia”, cada qual representa um problema em potencial, uma contradição ou uma regra supérflua dentro do conjunto de regras; ou seja, cada anomalia alerta o administrador da rede para determinada situação. Há 7 tipos de anomalias, que podem ser divididos em dois grupos: anomalias de filtro único e anomalias em rede. As anomalias de filtro único alertam o administrador sobre regras que se contradizem (“bloqueio”) ou que não possuem efeito no filtro (“invisibilidade” e “redundância”). As anomalias em rede, por sua vez, alertam o administrador sobre filtros que se contradizem (“discordância”), filtros que bloqueiam tráfego desejado (“bloqueio”), regras que não se aplicam a nenhum pacote que passe pelo filtro onde estão (“irrelevância”) e roteadores que permitem a passagem de tráfego indesejado (“vazamento”). Cada um desses tipos de anomalia é definido formalmente e apresentado junto com um algoritmo que a encontra. As anomalias e seus algoritmos foram usados para implementar uma ferramenta, o Packet Filter Checker (PFC), que lê as regras e a descrição da topologia da rede e cria um relatório com todas as anomalias presentes. Este trabalho apresenta um caso de uso fictício que é analisado e corrigido com base nos resultados apresentados pela ferramenta. O caso de uso é apresentado em diversas iterações, cada uma representando alterações nos requisitos da rede. Este caso mostra a ferramenta e os conceitos no contexto-alvo: na ajuda ao administrador da rede. / Computer networks are under constant threat, even more when connected to the Internet. To decrease the risk of invasions and downtime, security devices such as the packet filter are deployed. As a first layer of security, the packet filter is responsible for blocking out unwanted traffic at key network locations. The packets dropped or forwarded by the filter are defined by a set of rules programmed by the network administrator. These rules are in the form of guarded commands, each with a condition and a decision section. As the number of services and networks grow, the number of rules tend to grow as well. Beyond a certain threshold, the complexity of maintaining such a large and distributed set of rules becomes a burden for the network administrator. Mistakes can be easily made, compromising security. This work develops the concept of “anomaly”, each representing a potential problem, a contradiction or a superfluous rule in the rule set; i.e. a warning to the system administrator. There are 7 types of anomalies divided in two groups: single filter anomalies and networked anomalies. The single-filter anomalies warns the administrator about rules that contradict one another (the “conflict” anomaly) or have no effect (“invisibility” and “redundancy”) in the analysed filter. The networked anomalies, on the other hand, analyse the filters in the context of the network topology and warn the administrator about filters that contradict one another (“disagreement”), filters that block desired traffic (“blocking”), rules that have no effect on the given network topology (“irrelevancy”) and routers that are enabling unwanted traffic (“leaking”). Each type of anomaly is formally defined along with its algorithm. The developed concepts were used to implement a tool — the Packet Filter Checker (PFC) — that reads a description of the rules and network topology in a simple custom language and reports all anomalies present. This tool is used to analyse and fix a fictional user case in several iterations of changing requirements. This shows the tool and the anomalies in the target context: where they help the network administrator.

Redes : Comunicacao : Dados

Seguranca : Redes : Computadores

Filtros : Pacotes

Packet filter

Firewall

Security policy

Policy conflict

Rule coherence

O IMPACTO DA UTILIZAÇÃO DE TÉCNICAS DE ENDOMARKETING NA EFETIVIDADE DAS POLÍTICAS DE SEGURANÇA DA INFORMAÇÃO / THE IMPACT OF THE INTERNAL MARKETING ON INFORMATION SECURITY POLICY EFECTIVENESS

Ellwanger, Cristiane

12 June 2009

Protecting the information resources has been a big challenge to organizations. The constitution of an information security policy PSI can solve part of problems related to security but it can t solve them completely, because of the human resources, present in the internal environment of organizations, they can seriously compromise the effectiveness of an PSI. Since the endomarketing (internal marketing) is an instrument that can contribute to obtain or even to rescue the users commitment with the PSI, this present dissertation shows impact of endomarketing techniques in the policy effectiveness using the experimental research. Performed in the Intensive Cardiology Unit (UCI) and Intensive Care Adult (UTI) at Santa Maria University Hospital (HUSM), the experiment was constituted in an experimentation group (UCI), under the endomarketing directed different techniques and a control group (UTI) which it served as a basis to observation. In order to find the effectiveness of PSI on the referred units it was performed internal audits where the procedures, defined by the PSI were classified under the percentage way following the criteria: Non-Run Procedures (PNEs), Partially Implemented Procedures (PPEs) and Fully Implemented Procedures (PTEs).The experiment results show that both the control group as the experimentation group after the initial application of endomarketing techniques joined to implanted PSI on the respective units. However, after discontinuing the application of these techniques on the control group, it was observed a gradual decrease of percentages of PTEs by the components of this group that it decreased from 14,6% to 4,1% which it shows a decrease of 71,92% in the support to PSI in this group, if considered the PTEs. Already the continuous application of endomarketing techniques in the experimentation group did with that the procedures described in PSI were always presents in the users' mind, what generated a gradual increase in the percentage of PTEs. The percentage increased from 8,3% to 41,7% what reflects an improvement of 402,4% in the support to PSI in this group, if considered to PTEs. If considered the PNEs procedures, the continued application of endomarketing techniques in the experimentation group enabled a decrease of 88% against a increase of 12,6% in the control group and a high concentration of percentages on the partially or totally run procedures that added they reach 93,7% in the final evaluation. It is concluded then that the continuous application of endomarketing techniques improves the PSI effectiveness. / Proteger os recursos de informação tem sido um grande desafio às organizações. O estabelecimento de uma Política de Segurança da Informação (PSI) pode resolver parte dos problemas relacionados à segurança, mas não pode resolvê-los integralmente, pois os recursos humanos, presentes no ambiente interno das organizações, podem comprometer seriamente a efetividade de uma PSI. O endomarketig (marketing interno) é um instrumento que pode contribuir para se obter ou até mesmo resgatar o comprometimento dos usuários para com a PSI. A presente dissertação investiga o impacto da utilização de técnicas de endomarketing na efetividade da PSI, utilizando-se para tanto da pesquisa experimental. Realizado junto às Unidades de Cardiologia Intensiva (UCI) e Terapia Intensiva-Adulto (UTI) do Hospital Universitário de Santa Maria HUSM, o experimento foi constituído de um grupo de experimentação (UCI), sob o qual foram aplicadas diferentes técnicas de endomarketing e um grupo de controle (UTI), o qual recebeu apenas um nivelamento inicial. Para constatar a efetividade da PSI foram realizadas auditorias internas, nas quais os procedimentos definidos na PSI foram testados e classificados como: Procedimentos Não-Executados (PNEs); Procedimentos Parcialmente Executados (PPEs) e Procedimentos Totalmente Executados (PTEs). Os resultados do experimento demonstram que tanto o grupo de controle (UTI) quanto o grupo de experimentação (UCI) aderiram à PSI após a aplicação inicial de técnicas de endomarketing (nivelamento). Entretanto, após descontinuar a aplicação dessas técnicas no grupo de controle, observou-se uma diminuição gradativa dos percentuais de PTE pelos componentes deste grupo, que caiu de 14,6% para 4,1%, o que demonstra uma queda de 71,92% na adesão à PSI neste grupo, se considerado os PTE. Já a aplicação continuada de técnicas de endomarketing no grupo de experimentação fez com que os procedimentos descritos na PSI estivessem sempre presentes na mente dos usuários, o que gerou um aumento gradativo nos percentuais de PTEs. O percentual subiu de 8,3% para 41,7%, o que reflete uma melhora de 402,4% na adesão à PSI neste grupo, se considerado os PTEs. Se considerado os procedimentos PNEs, a aplicação contínuada de técnicas de endomarketing no grupo de experimentação possibilitou uma redução de 88%, contra um aumento de 12,6% no grupo de controle, e uma alta concentração de percentuais nos procedimentos parcialmente ou totalmente executados, que somados chegam a 93,7% na avaliação final. Conclui-se então que a aplicação contínua de técnicas de endomarketing melhora a efetividade da PSI.

Política de segurança da informação

Endomarketing

Recursos humanos

Segurança

Information security policy

Endomarketing

Human resources

Security

Análise da institucionalização do Programa de Aquisição de Alimentos (PAA) na CEAGESP : O caso do CEASA de Araraquara (SP)

Realino, Marco Aurélio Assunção

14 March 2016

Submitted by Izabel Franco (izabel-franco@ufscar.br) on 2016-10-05T14:00:32Z No. of bitstreams: 1 DissMAAR.pdf: 4999739 bytes, checksum: 26768c4ba4d929f9449266887e68e1ff (MD5) / Approved for entry into archive by Marina Freitas (marinapf@ufscar.br) on 2016-10-20T16:10:17Z (GMT) No. of bitstreams: 1 DissMAAR.pdf: 4999739 bytes, checksum: 26768c4ba4d929f9449266887e68e1ff (MD5) / Approved for entry into archive by Marina Freitas (marinapf@ufscar.br) on 2016-10-20T16:10:24Z (GMT) No. of bitstreams: 1 DissMAAR.pdf: 4999739 bytes, checksum: 26768c4ba4d929f9449266887e68e1ff (MD5) / Made available in DSpace on 2016-10-20T16:10:33Z (GMT). No. of bitstreams: 1 DissMAAR.pdf: 4999739 bytes, checksum: 26768c4ba4d929f9449266887e68e1ff (MD5) Previous issue date: 2016-03-14 / Não recebi financiamento / The food security issue has entered the public agenda after the World War II, when some countries started acting to eradicate poverty and hunger (SIMON, 2012). In Brazil, the issue became relevant after 2003, when the government made some policies to end the hunger as well as poverty, like the Programa de Aquisição de Alimentos (PAA). Thus, this research aims to analyze the possibility of the implementation of PAA in Companhia de Entrepostos e Armazéns Gerais de São Paulo (CEAGESP), which is a public company responsible for storage services and wholesale food market in São Paulo state. The analysis was first focused on the Ceasa Araraquara unity, as a diagnosis which can be applied on the other unities later. Therefore, some interviews were conducted with the managers of some CEAGESP's unities along with secondary data. The theorical referential was based on the Strategic Action Fields, to understand the power relations inside the fields of food secure. To lead a better understanding of the food secure policies it was made an historical analysis of the issue, first in a worldwide context and later in a national level. Finally, the results show primarily that the operation of the PAA by CEAGESP finds some barriers within political issues. Once those questions are overcome, it will become possible for the public company to execute the policy. / A temática Segurança Alimentar e Nutricional passou a ser relevante na agenda pública mundial a partir da Segunda Guerra Mundial, quando diversos países começaram a discutir meios e ações para o combate à fome (SIMON, 2012). No Brasil, a questão entrou na agenda do Estado a partir de 2003, quando foram sistematizadas ações de combate à fome (MACEDO et al, 2009), entre elas, a criação do Programa de Aquisição de Alimentos (PAA). Dessa forma, busca-se neste trabalho a análise da viabilidade da execução do PAA pela Companhia de Entrepostos e Armazéns Gerais de São Paulo (CEAGESP), empresa pública responsável por serviços de armazenagem e comercialização de hortifrútis no estado de São Paulo. O trabalho foca em um diagnóstico na unidade de Araraquara (SP), para que este possa servir posteriormente à todas as unidades da Companhia. Para tal, foram utilizados dados secundários e realizadas entrevistas com representes da CEAGESP. O referencial teórico utilizado foi a teoria de campos de ação estratégica, a qual buscou entender o jogo de poder existente nas diversas áreas referentes à segurança alimentar e nutricional no Brasil. Para o melhor entendimento do contexto explorado, foi feita uma revisão bibliográfica sobre a segurança alimentar e nutricional no plano internacional e no Brasil, assim como do Programa de Aquisição de Alimentos (PAA). Os resultados apontam que a operacionalização do Programa na CEAGESP esbarra, a priori, em algumas questões de ordem política e institucional que acabam dificultando, quando não impedindo, tal ação. Se estes conflitos forem superados, entende-se como plausível a execução do PAA na Companhia.

Segurança alimentar e nutricional

CEASA de araraquara

Mercado institucional

Food Security Policy

Institutional Market

Om solidaritet och ansvarstagande i världen : en diskursanalytisk studie kring internationaliseringen av svensk försvars- och säkerhetspolitik / About solidarity and responsibility in world order : a discourse analysis about the internationalisation of Swedish security and defence policy

Johansson, Daniel

January 2003

The world is increasingly coalescing, ecologically, economically and culturally. Many problems can no longer be solved within the own state borders and the limitation of the territorial state is obvious. Jürgen Habermas means that a world domestic politic without a world government is what this progress need. Therefore it is important that national interests become less central and the solidarity between people is given priority in international relations. The focus of this thesis is therefore a critical discourse analysis of the current position of the internationalisation of Swedish security and defence policy. The discourse analysis shows that the morality and solidarity is described as important issues for the increasing Swedish international military engagement. One conclusion of the discourse is that the peace no longer is something that Sweden retains on it’s own. Instead the peace is secured in co-operation with other states. Hence, in the presence of thefuture, it’s interesting to consider Immanuel Kants thought, zum ewigen Frieden.

Interdisciplinary studies

försvarspolitik

säkerhetspolitik

solidaritet

Habermas

Kant

defence policy

security policy

solidarity

TVÄRVETENSKAP

Social Sciences Interdisciplinary

A formação da nova agenda de segurança pública após 1988 : o empoderamento das guardas municipais

Silveira, Glaucia Bambirra

January 2018

Orientadora: Profa. Dra. Alessandra Teixeira / Dissertação (mestrado) - Universidade Federal do ABC, Programa de Pós-Graduação em Políticas Públicas, São Bernardo do Campo, 2018. / A presente dissertação analisa o processo de formação da agenda governamental e as mudanças ocorridas do período da Ditadura Militar à promulgação do Estatuto das Guardas Municipais, em 2014, com foco na segurança pública, especialmente na área de policiamento repressivo, militarizado e extensivo. O surgimento das secretarias de segurança urbana nos municípios do Brasil e o crescente empoderamento das guardas municipais, tanto em quantidade quanto na vertiginosa amplitude de atribuições frente às competências originalmente instituídas na Constituição Federal de 1988. As mudanças são irreversíveis e tendem a aumentar a conflituosidade de poder e espaço entre os componentes das guardas municipais e as polícias estaduais, principalmente a militar. / This dissertation analyzes the process of formation of the governmental agenda and the changes that occurred from the period of the Military Dictatorship to the promulgation of the Municipal Guard Statute in 2014, focusing on public security, especially in the area of repressive, militarized and extensive policing. The emergence of urban security secretariats in Brazilian municipalities and the increasing empowerment of municipal guards, both in quantity and in the vertiginous range of attributions vis-à-vis the competences originally established in the 1988 Federal Constitution. The changes are irreversible and tend to increase the conflict of power and space between the components of the municipal guards and the state police, especially the military police.

POLÍTICA DE SEGURANÇA PÚBLICA

FEDERALISMO

GUARDAS MUNICIPAIS

PUBLIC SECURITY POLICY

FEDERALISM

CITY GUARDS

Employees' Role in Improving Information Systems Security

Aliti, Admirim, Akkaya, Deniz

January 2011

Information security is one of the most essential concerns in today’s organizations. IT departments in larger organizations are tasked to implement security, by both ensuring to have pertinent hardware and software, and likewise enlighten, teach and educate organization’s employees about security issues. The aim of this research is to focus on the human factor of the organization, which impacts the security of the information, since technological solutions of technical problems become incomprehensible without human recognition about security. If the security is not addressed in firms, this might lead to essential data of the organization to be compromised. This study explores ways to enhance information security and improve the human factor by integrating the crucial information security elements in organizations. Social constructivist worldview is adopted throughout the study, and an inductive based - qualitative approach, a single case study design and hermeneutical analysis for analyzing the observations and interviews are utilized. The research setting for this study is Växjö Municipality in Sweden. The empirical investigation suggests that human factor plays an essential role in maintaining information security, and organizations can improve employees’ role by keeping their security policies up to date and find the best ways to disseminate that information. As a result, this research comes up with “information security human management model” for organizations.

Information security

information security policy

human factor in organizations

employees' role

Information Systems